Ultimate Collection - { fslWeb & faisalmb.com } Ultimate Collection - { fslWeb & faisalmb.com }   
Home   |   Site   |   Posts (399)   |   Tags Xplorer   |   Feed SubscribeFree! Aha! you surfing post Clock ticking on worm att...    Partner Site - Real Home Contact Search   

Tue

27

Jan

2009

Tue-27-01-2009
Likes     Dislikes
   

Clock ticking on worm attack code

Experts are warning that hackers have yet to activate the payload of the Conficker virus.

Clock ticking on worm attack code.jpg

The worm is spreading through low security networks, memory sticks, and PCs without current security updates.

The malicious program - also known as Downadup or Kido - was first discovered in October 2008.

Although the spread of the worm appears to be levelling off, there are fears someone could easily take control of any and all of the 9.5m infected PCs.

Speaking to the BBC, F-Secure's chief research officer, Mikko Hypponen, said there was still a real risk to users.

"Total infections appear to be peaking. That said, a full count is hard, because we also don't know how many machines are being cleaned. But we estimate there are still more than 9m infected PCs world wide.

"It is scary thinking about how much control they [a hacker] could have over all these computers. They would have access to millions of machines with full administrator rights.

"But they haven't done that yet, maybe they're scared. That's good news. But there is also the scenario that someone else figures out how to activate this worm. That is a worrying prospect."

Experts say users should have up-to-date anti-virus software and install Microsoft's MS08-067 patch. The patch is known as KB958644.

 start_quote_rb.gif Even having the Windows patch won't keep you safeend_quote_rb.gif
Graham Cluley
Sophos

Speaking to the BBC, Graham Cluley, senior technology consultant with anti-virus firm Sophos, said the outbreak was of a scale they had not seen for some time.

"Microsoft did a good job of updating people's home computers, but the virus continues to infect business who have ignored the patch update.

"A shortage of IT staff during the holiday break didn't help and rolling out a patch over a large number of computers isn't easy.

"What's more, if your users are using weak passwords - 12345, QWERTY, etc - then the virus can crack them in short order," he added.

"But as the virus can be spread with USB memory sticks, even having the Windows patch won't keep you safe. You need anti-virus software for that."

Method

According to Microsoft, the worm works by searching for a Windows executable file called "services.exe" and then becomes part of that code.

It then copies itself into the Windows system folder as a random file of a type known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.

Once the worm is up and running, it creates an HTTP server, resets a machine's System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker's web site.

Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.

But Conficker does things differently.

start_quote_rb.gif  Right now, we're seeing hundreds of thousands of [infected] unique IP addresses end_quote_rb.gif
Toni Koivunen, F-Secure

Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files. On the face of it, tracing this one site is almost impossible.

Variant

Speaking to the BBC, Kaspersky Lab's security analyst Eddy Willems said that a new strain of the worm was complicating matters.

"There was a new variant released less than two weeks ago and that's the one causing most of the problems," said Mr Willems

"The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creating new variants though this mechanism.

"Of course, the real problem is that people haven't patched their software," he added.

Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.

Source:news.bbc.co.uk/2/hi/technology/7832652.stm

 



Add Comment Post comment

 
 
 
   Country flag

Click to change image  --> 

biuquote
  • Comment
  • Preview
Loading





Intro

Faisal Bashir
Consultant / Software Architect
KalSoft Limited Dubai
Microsoft Certified Technology Specialist.
[more]

Right Now

How could u reach the pearl by only looking at the sea? if u seek the pearl, be a diver: the diver needs several qualities, he must trust his rope and his life to the Friend's hand, he must stop breating and he must jump - Jalaluddin Rumi.

Random Visuals

Recent Comments

Comment RSS

(Swear) By the time. Undoubtedly, man is in loss. Except those who believed and did goog deeds and enjoin on each other truth, and enjoin on each other patience. (The Quraan - Al Asar 103-1to3)

1658134 hits. (Best viewed @ 1024x768 resolution min.) Comments here...
© 2001-2014 Muhammad Faisal | Disclaimer | Contact | Partner Site